
Successful exploitation of the flaw could allow attackers to send a specially crafted HTTP request, upload arbitrary files to the system and overwrite files present on the server.

A directory traversal vulnerability in WP Cost Estimation & Payment Forms Builder, a commercial WordPress plug-in, has recently received a security patch. The flaw affected all versions of the plug-in before 9.660.

How does it work?

Security researchers at Wordfence came across the flaw while analyzing other vulnerabilities in the plug-in. They found that attackers had already been exploiting the plug-in in the wild over the preceding months.

In its report, Wordfence explained that attackers were abusing an AJAX-related flaw in the plug-in's upload functionality to save files with arbitrary, meaningless extensions such as 'ngfndfgsdcas.tss' on targeted sites.

“The action lfb_upload_form was traced to the installed WP Cost Estimation plugin, which allowed us to piece together what had taken place. The installed version of the plugin was outdated, and the AJAX action allowing file uploads through form submissions was exploitable,” said the Wordfence researchers in a blog post.

In the second step of the exploitation process, the attackers uploaded a .htaccess file alongside the disguised file, instructing the web server to hand files with that unusual extension to the PHP interpreter. They could then request the uploaded file directly and execute the malicious PHP code inside it, activating the backdoor.
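The two artifacts this technique leaves behind (a .htaccess that remaps a non-PHP extension onto the PHP handler, and a file with an odd extension that nevertheless contains PHP) are easy to hunt for. The scanner below is an added example, not code from Wordfence or the plug-in's developer; the upload tree it scans is constructed in a temporary directory, the file name 'ngfndfgsdcas.tss' is taken from the report, and the directive list and the assumption that uploads never legitimately contain PHP are mine.

```python
"""Hunt an uploads tree for handler-remapping .htaccess files and for PHP code
hidden in files with non-PHP extensions. Added example; not the plug-in's code."""
import os
import re
import tempfile
from pathlib import Path

# Apache directives that can route a file to the PHP interpreter (assumed list).
HANDLER_RE = re.compile(r"^\s*(AddType|AddHandler|SetHandler|ForceType)\b.*php", re.IGNORECASE)
EXT_RE = re.compile(r"\.[A-Za-z0-9]+")
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Extensions where PHP source is expected; anything else holding PHP is suspect.
NORMAL_EXTS = {".php", ".phtml"}


def htaccess_php_mappings(text):
    """Return the set of non-PHP extensions a .htaccess body maps to the PHP handler."""
    exts = set()
    for line in text.splitlines():
        if not HANDLER_RE.match(line):
            continue
        for ext in EXT_RE.findall(line):
            ext = ext.lower()
            if ext not in NORMAL_EXTS and "php" not in ext:
                exts.add(ext)
    return exts


def scan_uploads(root):
    """Walk `root` and return a sorted list of (path, reason) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if name == ".htaccess":
                exts = htaccess_php_mappings(p.read_text(errors="replace"))
                if exts:
                    findings.append((str(p), "htaccess maps %s to PHP" % ",".join(sorted(exts))))
                continue
            # Only the head of the file is read; a dropped backdoor starts with its open tag.
            head = p.read_bytes()[:4096]
            if p.suffix.lower() not in NORMAL_EXTS and PHP_TAG_RE.search(head):
                findings.append((str(p), "PHP code in non-PHP file"))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: a benign image, an inert disguised backdoor, a handler remap."""
    up = Path(base, "wp-content", "uploads")
    up.mkdir(parents=True)
    (up / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF")
    (up / "ngfndfgsdcas.tss").write_bytes(b"<?php echo 'constructed placeholder'; ?>")
    (up / ".htaccess").write_text("AddType application/x-httpd-php .tss\n")
    return up


def demo():
    """Run the scanner over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_uploads(build_sample_tree(tmp))


if __name__ == "__main__":
    for path, reason in demo():
        print(reason, "->", path)
```

Run it against a real wp-content/uploads tree by calling scan_uploads on that path; a clean tree returns an empty list, and a .htaccess that only maps .php itself is deliberately not reported.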

Impact

The vulnerability stems from an input validation error when the plug-in handles directory traversal sequences in file paths it receives. An attacker who exploits it with a specially crafted HTTP request can upload arbitrary files to the server and overwrite files already present, which can lead to full compromise of the site.
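The fix for this class of bug is to resolve the requested path and then check that it still lies inside the directory the plug-in is allowed to write to. The snippet below is an added illustration of that check and is not the plug-in's code (the plug-in is PHP, where the same idea is realpath() plus a prefix comparison); the directory layout, the function names and the sample inputs are assumptions, constructed in a temporary directory.

```python
"""Directory traversal: naive path join beside the contained version.
Added illustration; not the plug-in's code."""
import os
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a user-supplied path would leave the allowed directory."""


def resolve_vulnerable(base_dir, user_path):
    """Naive join: '../' segments (or an absolute path) escape base_dir."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_safe(base_dir, user_path):
    """Resolve symlinks and '..' segments, then require the result to stay under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath (not startswith) also rejects the sibling-prefix trick: /uploads vs /uploads_evil
    if os.path.commonpath([base, target]) != base:
        raise TraversalError("path escapes allowed directory: %r" % user_path)
    return target


def demo():
    """Constructed layout: <tmp>/wp-config.php and <tmp>/wp-content/uploads."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "wp-content", "uploads")
        os.makedirs(uploads)
        Path(tmp, "wp-config.php").write_text("<?php // constructed placeholder\n")
        cases = {
            "benign": "forms/quote.pdf",
            "traversal": "../../wp-config.php",
            "absolute": "/etc/passwd",
            "sibling": "../uploads_evil/x.php",
        }
        results = {}
        for name, p in cases.items():
            try:
                resolve_safe(uploads, p)
                results[name] = "allowed"
            except TraversalError:
                results[name] = "blocked"
        # The naive resolver happily points at the site's configuration file.
        results["naive_reaches_config"] = os.path.exists(resolve_vulnerable(uploads, "../../wp-config.php"))
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The same containment check belongs in every file operation the plug-in exposes (upload, download and delete alike): the report's point is that the attackers chained separate AJAX actions, so a path check on the upload handler alone would not have stopped the deletion step.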

Upon further investigation, the researchers also noted that the attackers abused another AJAX action in the plug-in to delete the site's configuration and then reconfigure it to use a database under their control.

CodeCanyon, the marketplace that sells WP Cost Estimation & Payment Forms Builder, reports that the vulnerable plug-in has been purchased by more than 11,000 users.

While the Wordfence team is still assessing the size and reach of the attacks exploiting the flaw, the plug-in's developer, Loopus Plugins, has released a security patch that fixes it.

Ryan Stewart

Ryan is a senior cybersecurity and privacy analyst. He keenly follows the innovation and development in cybersecurity technologies, and loves to educate everyone about the what, why, and how of major incidents in the cybersecurity world.
